A Framework for Managing User-defined Security Policies to
Support Network Security Functions
Eunsoo Kim
Sungkyunkwan University
Republic of Korea
eskim86@skku.edu
Kuyju Kim
Sungkyunkwan University
Republic of Korea
kuyjukim@skku.edu
Seungjin Lee
Sungkyunkwan University
Republic of Korea
jine33@skku.edu
Jaehoon (Paul) Jeong
Sungkyunkwan University
Republic of Korea
pauljeong@skku.edu
Hyoungshick Kim
Sungkyunkwan University
Republic of Korea
hyoung@skku.edu
ABSTRACT
Network Functions Virtualization (NFV) and Software Defined Networking (SDN) make it easier for security administrators to manage security policies on a network system. However, it is still challenging to map high-level security policies defined by users into low-level security policies that can be applied to network security devices. To address this problem, we introduce a framework for effectively managing user-defined security policies for network security functions based on standard interfaces that are currently being standardized in an IETF working group. To show the feasibility of the proposed framework, we implemented a prototype based on the RESTCONF protocol and showed that the proposed framework can be applied in real-world scenarios for network separation, DDoS mitigation and ransomware prevention.
CCS CONCEPTS
· Networks → Network architectures; Middle boxes / network ap-
pliances; Network management ;
KEYWORDS
Security management; Security policy; NSF;
ACM Reference Format:
Eunsoo Kim, Kuyju Kim, Seungjin Lee, Jaehoon (Paul) Jeong, and Hyoungshick Kim. 2018. A Framework for Managing User-defined Security Policies to Support Network Security Functions. In Proceedings of The 12th International Conference on Ubiquitous Information Management and Communication (IMCOM ’18), Jennifer B. Sartor, Theo D’Hondt, and Wolfgang De Meuter (Eds.). ACM, New York, NY, USA, 8 pages. https://doi.org/10.1145/3164541.3164569
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
IMCOM ’18, January 2018, Langkawi, Malaysia
© 2018 Association for Computing Machinery.
ACM ISBN 978-1-4503-6385-3/18/01. . . $15.00
https://doi.org/10.1145/3164541.3164569
1 INTRODUCTION
Defining security policies for a network system is a difficult and complicated task that often requires deep knowledge of a particular vendor’s protocols and network commands. This has been the biggest challenge for system administrators who are responsible for managing network systems. This problem is further amplified in network environments with Network Security Functions (NSFs) provided by multiple vendors with proprietary interfaces [11]. In many situations, NSFs can be used to achieve security goals such as integrity, confidentiality and availability to protect a network system by detecting malicious traffic and/or reducing the impact of cyber attacks on the network system [7]. In practice, however, it is very cumbersome to manage and enforce various security policies and configurations on NSFs due to various business requirements and the complexity of security practices for satisfying those requirements. The detailed challenges are as follows:
First, it is not easy to consider new security requirements and the corresponding security rules in a timely way in response to adaptive and sophisticated attacks which evolve over time. Second, the cost of managing security policies is likely to increase because multiple vendors’ network devices and security solutions are typically used in a mixed way for a network system. In general, each vendor uses its own proprietary interface, which makes it harder for system administrators to set up vendor-specific rules and configurations. Third, large companies generally have very complicated security requirements for various users and devices, which may produce complicated security rules.
To address those issues, several architectures were introduced based on Software-Defined Networking (SDN) and Network Functions Virtualization (NFV). For example, the Internet Engineering Task Force (IETF) Interface to Network Security Functions (I2NSF) working group aims to define and implement standard interfaces for controlling and managing NSFs. This standardization defines an architecture and interfaces for network security services using SDN and NFV. However, it is still unclear how (relatively complicated) high-level security policies defined by users can be mapped into low-level security policies for network devices, and how the low-level security policies can then be configured on those devices.
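The mapping problem described above, as an added illustration that is not code from the paper or from the I2NSF working group: a user-level policy expressed in terms of named groups and services is expanded into address-and-port rules an NSF could enforce, and the resulting rule set is checked for contradictory entries. The group directory, service catalogue, rule fields and payload key names are all constructed assumptions; they do not reproduce the I2NSF data model.

```python
"""Toy translation of a high-level (user-defined) security policy into
low-level NSF rules.  Constructed example: the policy vocabulary, the
directory contents and the rule/payload fields are assumptions, not the
I2NSF YANG model or the paper's own framework."""
from dataclasses import dataclass
import ipaddress

# Constructed group directory; in a deployment this would be resolved
# from an inventory or directory service (assumption).
DIRECTORY = {
    "hr-dept": ["10.1.0.0/24"],
    "finance-dept": ["10.2.0.0/24"],
    "file-server": ["10.9.0.5/32"],
}

# Constructed service catalogue mapping service names to TCP ports.
SERVICE_PORTS = {"smb": [445], "web": [80, 443]}


@dataclass
class HighLevelPolicy:
    name: str
    source: str        # group name, not an address
    destination: str   # group name, not an address
    service: str       # key of SERVICE_PORTS
    action: str        # "allow" or "deny"


@dataclass(frozen=True)
class LowLevelRule:
    src_cidr: str
    dst_cidr: str
    protocol: str
    dst_port: int
    action: str


def translate(policy):
    """Expand one high-level policy into concrete, device-level rules.

    Every name is resolved up front so that an unknown group or service
    fails loudly instead of silently producing an empty (no-op) rule set."""
    if policy.action not in ("allow", "deny"):
        raise ValueError(f"unknown action {policy.action!r} in {policy.name}")
    for group in (policy.source, policy.destination):
        if group not in DIRECTORY:
            raise KeyError(f"unresolvable group {group!r} in {policy.name}")
    if policy.service not in SERVICE_PORTS:
        raise KeyError(f"unknown service {policy.service!r} in {policy.name}")

    rules = []
    for src in DIRECTORY[policy.source]:
        for dst in DIRECTORY[policy.destination]:
            # Validate CIDRs so a typo in the directory is caught at
            # translation time rather than being pushed to a device.
            ipaddress.ip_network(src)
            ipaddress.ip_network(dst)
            for port in SERVICE_PORTS[policy.service]:
                rules.append(LowLevelRule(src, dst, "tcp", port, policy.action))
    return rules


def find_conflicts(rules):
    """Return match keys that appear with both 'allow' and 'deny'.

    Such pairs mean two user policies contradict each other; which one
    wins would depend on device ordering, so they should be surfaced to
    the administrator before anything is configured."""
    first_action = {}
    conflicts = []
    for r in rules:
        key = (r.src_cidr, r.dst_cidr, r.protocol, r.dst_port)
        if key in first_action and first_action[key] != r.action:
            conflicts.append(key)
        first_action.setdefault(key, r.action)
    return conflicts


def to_payload(rules):
    """Render rules as a JSON-compatible dict for a RESTCONF-style push.
    The key names here are assumptions, not a standard data model."""
    return {"nsf-rules": [
        {"src": r.src_cidr, "dst": r.dst_cidr, "protocol": r.protocol,
         "dst-port": r.dst_port, "action": r.action} for r in rules]}


if __name__ == "__main__":
    # Network separation: HR must not reach the file server over SMB.
    sep = HighLevelPolicy("hr-no-smb", "hr-dept", "file-server", "smb", "deny")
    print(to_payload(translate(sep)))
```

The translation step is deliberately strict: a policy referring to a group or service the directory cannot resolve raises instead of expanding to nothing, because a silently empty rule set looks like success to the administrator while enforcing nothing on the device.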
In this paper, we propose a framework to effectively translate high-level security policies for users into low-level security policies for network devices. To show the feasibility of the proposed